I didn’t catch his name, but a little while ago I heard the “co-founder” of Square say on Bloomberg TV that the Target data breach was no big deal. He said that people didn’t lose any money as a result, either because their account was never actually charged or because the bank covered any losses. OK, but this misses the point. And sure, anyone in the credit card business (and that is how Square makes its money, so reluctance to use credit cards would harm Square rather directly) is going to try to minimize this thing. But it shouldn’t be minimized; it’s a serious problem that requires a serious response.

Let’s do some simple math to illustrate this. Whenever one of my credit cards has been compromised, either directly or in a data breach, the credit card company cancels and replaces the card. This can result in numerous complications. Let me give some examples.

We were in Thailand last month when my wife noticed she had voicemail. It was the bank for one of her credit cards reporting that it had been compromised in a data breach. They were cancelling her card and sending a replacement. Great, so now a new credit card would be sitting at home in the U.S. while her existing card was useless on our trip. Fortunately we carry multiple credit cards on our trips in case of just such a situation. Imagine if we’d actually followed the conventional advice and taken only a single card.

Want to extend this? If you used a debit card at Target, at least one bank limited use of those cards until it could issue replacements. Now imagine you are away from home, and away from a branch of your bank, when this happens. Or it’s just a weekend. For the sake of an extreme case, let’s say you were out of the country and relying on ATMs to get local currency for your trip. Now your debit card either doesn’t work or is limited to small withdrawals. Worse, if you use it on multiple days your bank will assume it is stolen and block it. How do you get the cash to complete your trip?

Beyond the fact that the mere occurrence of a data breach can cause significant real-world repercussions, data breaches lead to a huge cost in time, effort, and incidental expenses. My wife was on the phone with her bank for about 30 minutes, and that was just the initial effort, while the hotel car service (which charged by the hour) waited to take us into town.

Let me broaden this example. First, there are the charges that are in flight when you cancel a card. Say you applied for a policy under Obamacare and gave a credit card for the initial payment, a convenience many insurance carriers provided. But that was submitted on paper (even if then faxed, or scanned and emailed, because that’s what they also required) and they don’t charge the card until close to the due date. When they do go to charge the card, the charge fails because the card has been cancelled. How much time and effort does it take for you to correct that? Or, in the worst case, what if you miss the due date and end up without insurance? Data breaches have consequences!

Note, the Obamacare scenario is not so far-fetched. We sent our new insurance carrier information before we left the country and returned very close to the deadline. Had a problem occurred, and the insurance carrier only notified us by U.S. Mail (which seems to be the only form of communication they understand), we could have ended up without insurance on January 1st. My highest priority on our return was to collect the paper mail from the post office and find confirmation from the insurance carrier that we were insured.

Keep in mind all the places that have your credit card information for automatic bill pay, or just for making life simpler. Another example: you go to use Amazon’s One-Click and it fails because the credit card was cancelled. One-Click just became a thousand clicks as you go through the screens to enter a new credit card. So you log in to website after website, changing your credit card information. In some cases you need to do it by phone. In others, by filling out and mailing paper. In my experience the total time expended on recovering from a credit card breach adds up to between 1/2 and 1 day of effort. And that’s assuming no actual identity theft or serious fraud occurred.

Let me quantify this on a larger scale. Assume a median U.S. income of $50,000/year. Assume 210 work days per year, for a daily income of $238. Take the lower end of my time expenditure range and it cost (“time is money”) the average person $119 to deal with the data breach. It also cost them data on their data plan, postage, the cost of phone calls, and perhaps opportunity costs (e.g., the price of the item you were trying to buy on Amazon went up while you struggled with the inability to use your credit card). A more realistic estimate of what the data breach cost the average consumer is on the order of $150 per credit card. Those are costs that neither Target nor your bank nor anyone else is going to reimburse. And the co-founder of Square says “no big deal”?

If we play this out, then 40 million credit/debit cards compromised at Target turns into a non-recoverable cost of $6 billion to Target’s customers. And the co-founder of Square says “no big deal”?

$6 billion is a big deal. $150 is a big deal to the average person. And even if you don’t quantify this financially, wasting a half-day of your life every time a business you’ve entrusted financial information to fails to protect it is a big deal. A VERY BIG DEAL.

14 Responses to Data Breaches ARE a big deal

Your point is why when I travel in my motorhome I always keep at least one credit card in a lock box in the MH that I never use. At $200+ to fill up, if my credit card gets canceled for something like this (and it has in the past) I’m in deep trouble if I don’t have one to use. I swap one out every few months so I know it is still working.

I have little knowledge of how security works (or should work), but your comments do bring to mind a question: Why can’t the card companies force merchants to do something similar to how apps use OAuth? That is, if I want to log in to app X and choose to use one of the identity providers (MS, Google, FB, etc.), app X has no knowledge of my password; it simply transfers me to the authenticating provider, which in turn handles authenticating me and then passes back a green or red light to app X. App X does gain access to some of my personal information and might choose to store that in an unsecured manner. But even if that information was compromised, the hacker couldn’t outright impersonate me without having to re-authenticate (at which point he wouldn’t know my password).

If applied to the credit card scenario, the card number would be important but couldn’t be used by itself to authorize a purchase. So at least this way it minimizes the need to re-issue card numbers in some cases. Or perhaps I just misunderstand the complexity of it all.

That approach already exists. For example, V.me and Paypal redirect to the payment provider’s site. The problem is low adoption. The merchants don’t want abandoned transactions, so they still offer the ability to enter a raw credit card number. And given that choice, consumers aren’t going to bother to sign up with another provider.

There’s also Verified by Visa. *After* entering your credit card number, the merchant has the option to redirect you to Visa’s site for additional authentication. Again, low adoption problem. The merchant gets a lower discount rate due to the lower risk of fraud, but the consumer gets nothing except an extra password. So why would anybody sign up?

There’s also the smartcard approach. We’ll get another crack at smartcards in October 2015, when EMV cards (chip-and-PIN) come to the US. Of course, that suffers from an even higher adoption barrier — you need an EMV smartcard reader in order to take advantage of it for online shopping. American Express tried to seed the market by giving out free smartcard readers around 2001 — it didn’t work.

Amex started converting everyone to chip-and-sign cards last year because in some foreign countries the merchants stopped accepting cards that didn’t have a chip in them. Still not chip-and-PIN, which would be much safer.
But even with the extra safety the credit card companies are going to cancel and replace cards if the base information is compromised.

In this case they did not cancel. Reporters who contacted banks found that Target had not informed banks proactively. Some banks went to the fence’s site, found cards with their own prefix, tested and verified them to be true. They actually bought from the fence to test and figure out what was going on. Target’s behavior is unbelievable.
The problem is that it is treated as a cost of business; in other words, the cost of fraud gets paid by card holders and merchants. The card companies have little incentive to implement any stronger scheme. As for the comparison to OAuth, the card companies see themselves in the role of OAuth. They would see any attempt to force independent authorization upon them as an attack on their business.
The Verified by Visa scheme is an improvement but I’ve had it on my card for a couple of years now and it barely ever triggers even though I use that card a lot. If anything it seems less used now than a year ago, though the total count is not enough to be statistically significant. I’m guessing they have written it off as a failure by now.
The only times my card ever triggers their fraud detection is when I or my wife use it and are travelling. On a recent vacation one card went dead. Of course they tried to phone me. My phone rang at about 3 in the morning and by the time I got to it they had hung up and the international call of course had no caller ID. When I got back I shouted at them a bit and asked if they could use SMS or email for this purpose and they said they had no system for that.
Meanwhile they compete to suck ever more blood out of retail with escalating “cashback” and other gimmicks which the retailers have no say in. The recent victory of merchants having the right to offer discount for cash was a step, although it won’t do much.
The credit card industry is a dinosaur with all the signs of a thoroughly rotted monopoly.

After twice having ATM and credit cards breached we had our credit files frozen in 2007. In 2009 our Redmond home was burglarized and the thieves were able to obtain our social security numbers and passports (our daughter had left the safe open). There were no accounts opened or other identity theft issues because of the credit freeze. It is a mild hassle to have the freezes lifted in the event you need a mortgage, new credit card or other type of loan, but well worth the effort. The three major credit bureaus (Transunion, Experian, Equifax) have instructions on how to place a freeze on their respective websites.

If those breached cards are used in fraudulent card-not-present transactions (such as all of e-commerce), the bank doesn’t cover the loss — the e-commerce merchant does. The consumer thinks they’re covered, and it’s no sweat off the issuing bank’s back because they pass it off to the acquiring bank, who very nearly always passes it off to the merchant — who passes it back to all of their consumers by raising everyone’s prices to cover the new loss. It’s a completely busted system, but the banks have no incentive to fix it.

Understand that the bank and cardholder never pay; it is always the merchant that takes the card. At least that is the way it works in the US. Any merchant with a basic business insurance policy also has coverage for this, so it really does not cost them anything either. Add to this the fact that the issuing card company will never press charges even if you have the person using the card in custody, and you see this is a non-crime in the US.

Of course there are going to be hassles for cardholders, but the way it is structured makes it nearly impossible to change.

Basically, I will have to disagree with this article. I believe Target has been unfairly targeted (no pun intended) on this matter.
We have several credit cards and use them for every transaction we can, we do not carry balances, but use the different cards as a way of sorting and accounting for different charges to our businesses. We travel a lot.
The first thing we do when traveling is notify our credit card company that we will be out of state or out of the country. We too, had our main credit card compromised while we were in Italy and it had to be cancelled. The bank issued a new one and sent it Fed Ex to where we were staying in Italy. It was pretty painless.
We use Bank of America Visas; they are very vigilant about security. We have had one or more of our credit cards cancelled and re-issued by them on 6 different occasions over the past few years. It’s quite a hassle, I agree. But that is what happens in this day and age with our data flying around in cyberspace. I don’t believe Target should be ostracized for it.

I did not ostracize Target, I attacked the general proposition that breaches are no big deal. It is the attitude that they are no big deal that is allowing them to continue with such regularity.

To some extent I agree that Target is the victim here and is being unfairly treated as complicit in the theft. However, it is also looking rather likely that their IT security practices were weak. In particular I’m concerned that they ignored the PCI (the standard they are supposed to follow to handle credit/debit cards) requirement that their payment systems be on a (virtually) isolated network, separate from the rest of their network. Had they done this, then the breach of their corporate network would not have allowed the attackers to access the payment card information. Recent reports that they ignored alerts from their IDS (Intrusion Detection System) worry me less, because these things are notorious for false positives. So taken in isolation I don’t hold this against them, but taken in concert with other revelations it points to their not taking information security seriously enough.

Over the course of the previous decade there was a dramatic shift in how IT was viewed. In the 90s IT was considered a strategic investment that would give organizations a competitive advantage over their peers. Budgets and staff grew dramatically, and prioritization was less about money and more about the availability of people capable of doing the work. Sometime in the 00s, after organizations had created their Internet presence and their ecommerce systems, migrated from home-grown to packaged ERP systems, deployed CRM, etc., IT was reclassified from “Investment” to “Cost”. IT budgets came under pressure and departments now struggle to justify their spending. In such an environment how do you make sure that Information Security is top of mind for the entire CxO community? I think that often it doesn’t even make the Top-5 list for the CIO, let alone the CEO, CFO, etc. About the only way to raise the priority of Information Security at the CxO level is to make sure that lapses result in maximum pain, and thus force them to prioritize it, as well as sending a message to their peers in other organizations. I also think this is a far more effective approach than anything that government can do with legislation, which always comes with huge negative consequences.

As much as I wish Target, which is one of my favorite stores, didn’t have to be the one taking all this pain, the reality is that we needed a wake-up call of this magnitude.

That was a very good reply. And having read it, I understand the larger picture that I’d not thought about before. I think you are correct about this sending a red flag to all corporations who deal with customer data security, and hopefully it will make them more vigilant.
My reply about Target being ostracized wasn’t really intended for you only; I got off track and was expressing frustration with the media/press, who, for a time I feel, were just joining the “band wagon” in reporting on Target’s security breach, and when the press does that it can have such serious consequences.
I had a Target card when this happened, and I still have it and use it. For me it just wasn’t as big of a worry as I thought the press made it out to be.